The Smart Way to Block “Zero-Day” and Other DDoS Attacks

Cyber criminals continue to make their distributed denial of service (DDoS) attacks more sophisticated and more accessible to anyone looking to make use of them. As a result, many legacy DDoS mitigation solutions end up missing some, or all, of the bad traffic. Here are four ways that black hat hackers are making life miserable for network operators and security analysts:

  1. Low-threshold, sub-saturating attacks, which are hard for legacy DDoS mitigation tools, or manual processes, to distinguish from regular traffic.
  2. Multi-vector attacks, often automated to switch vectors on the fly, every few seconds or minutes.
  3. Botnets, many of which are variants of previously released botnet code, such as Mirai.
  4. Protocols not previously used as attack vectors being pressed into service, often referred to as “zero-day” attacks.

Let’s focus on that last point, zero-day attacks, which many DDoS mitigation solutions can’t defend against automatically because they have no mechanism for blocking attacks that haven’t been seen before in the wild. Most DDoS solutions rely on rigid or historical filters, so an attack needs to have been seen previously before it can be defended against. Like modern endpoint and network security solutions, DDoS protection needs dynamic, intelligent detection that looks for indicators as well as exact matches, in order to block attacks that haven’t been seen previously.

To deliver its protection, Corero created a patented, proprietary, heuristic-based detection and mitigation mechanism called a Smart-Rule. These rules continuously inspect every packet, looking for those that exhibit specific traits, or indicators, which identify them as potentially being part of a DDoS attack. When repeated packets are seen with the same characteristics, they can be accurately convicted as part of a DDoS attack and automatically blocked, even if that specific packet type has never been seen before. Because conviction depends on repetition, the leading edge of a new vector can pass before the threshold is reached, which is why the follow-up analysis described below matters.

For example, in late 2016 Corero’s research team observed a reflection/amplification attack vector that leveraged LDAP traffic transported over UDP port 389, the connectionless variant of the protocol known as CLDAP (Connectionless Lightweight Directory Access Protocol); the vector has since been referred to as a CLDAP reflection attack. It was discovered when a Corero SOC analyst analyzed an attack that had been blocked automatically by a Smart-Rule at one of our managed service customers.

When new attack vectors like this appear, it is critical to carry out forensic-level analysis to determine whether the entire attack was blocked and to ensure no collateral damage (legitimate traffic dropped alongside it) occurred. Once a new attack is fully understood, it can be defended against using surgically accurate exact-match filters. These custom exact-match rules use closed-loop policy, allowing filters to be created and deployed rapidly in response to the evolving nature of today’s sophisticated DDoS attacks.

As an example, Corero’s exact-match filters, known as FlexRules, enabled the Streamline Servers security team to create a new rule to mitigate TCP URG flag attacks, an attack type that is now prevalent but had not been seen in DDoS attacks for the previous ten years. “SmartWall has undergone several updates since our initial deployment, which allows us to create significantly more flex rules, with greater levels of sophistication and fine tuning,” according to Nathan Harding, Chief Executive Officer, Streamline Servers.
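The two mechanisms described above, indicator-based conviction of repeated packets and an exact-match filter written after a vector has been analysed, side by side on a constructed packet stream. This is an added example, not Corero’s Smart-Rule or FlexRule code; the trait set (UDP, well-known source port, large datagram), the conviction threshold of 20 packets in one second, the URG-only flag rule and the sample packets (RFC 5737 documentation addresses) are all assumptions made for illustration:

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float                     # seconds
    src_ip: str
    dst_ip: str
    proto: str                    # "udp" or "tcp"
    src_port: int
    dst_port: int
    length: int                   # IP total length in bytes
    tcp_flags: frozenset = frozenset()


def amplification_traits(pkt):
    """Traits an unsolicited reflection/amplification packet exhibits: UDP, source port
    in the well-known range, large datagram. No port list is consulted, so a reflector
    protocol never seen before (CLDAP on 389 in 2016) still matches. Limits are assumed."""
    if pkt.proto != "udp" or pkt.src_port > 1023 or pkt.length < 1000:
        return None
    return (pkt.dst_ip, pkt.src_port)      # same victim, same reflected service


class HeuristicRule:
    """Convicts a trait key once `threshold` packets share it within `window` seconds;
    every later packet carrying that key is blocked."""

    def __init__(self, threshold=20, window=1.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)    # key -> timestamps inside the window
        self.convicted = set()

    def verdict(self, pkt):
        key = amplification_traits(pkt)
        if key is None:
            return "pass"
        if key in self.convicted:
            return "block"
        q = self.recent[key]
        q.append(pkt.ts)
        while pkt.ts - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.convicted.add(key)
            return "block"
        return "pass"


@dataclass(frozen=True)
class ExactMatchRule:
    """Surgical filter written once a vector is understood: every set field must match."""
    name: str
    proto: str
    src_port: int = None
    min_length: int = None
    tcp_flags: frozenset = None            # exact flag set, e.g. URG with nothing else

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and (self.src_port is None or pkt.src_port == self.src_port)
                and (self.min_length is None or pkt.length >= self.min_length)
                and (self.tcp_flags is None or pkt.tcp_flags == self.tcp_flags))


def run(packets, heuristic, exact_rules):
    """Packet by packet: exact-match filters first (cheap and precise), heuristic on the
    rest. Returns (verdict, rule name) per packet in stream order."""
    out = []
    for pkt in packets:
        hit = next((r.name for r in exact_rules if r.matches(pkt)), None)
        out.append(("block", hit) if hit else (heuristic.verdict(pkt), "heuristic"))
    return out


# Constructed sample stream (assumed addresses from the RFC 5737 documentation ranges).
VICTIM, CLIENT = "203.0.113.10", "203.0.113.20"
URG_ONLY = ExactMatchRule("tcp-urg-only", "tcp", tcp_flags=frozenset({"URG"}))


def build_stream():
    pkts = [Packet(i * 0.016, f"198.51.100.{i + 1}", VICTIM, "udp", 389, 40000 + i, 3000)
            for i in range(30)]                                   # CLDAP reflections, 30 reflectors
    pkts += [Packet(i * 0.1, "192.0.2.53", CLIENT, "udp", 53, 50000 + i, 120)
             for i in range(5)]                                   # ordinary DNS answers
    pkts += [Packet(i * 0.05, f"198.51.100.{100 + i}", VICTIM, "tcp", 1024 + i, 80, 60,
                    frozenset({"URG"})) for i in range(10)]       # URG-only TCP flood
    pkts.append(Packet(0.2, "192.0.2.44", CLIENT, "tcp", 443, 51000, 1400,
                       frozenset({"ACK", "PSH"})))                # normal HTTPS segment
    return sorted(pkts, key=lambda p: p.ts)                       # stable: per-flow order kept


def summarize():
    """Counts of (traffic kind, verdict) over the constructed stream."""
    packets = build_stream()
    counts = defaultdict(int)
    for pkt, (verdict, _) in zip(packets, run(packets, HeuristicRule(20, 1.0), [URG_ONLY])):
        kind = ("cldap" if pkt.src_port == 389 else "dns" if pkt.src_port == 53
                else "urg" if "URG" in pkt.tcp_flags else "https")
        counts[(kind, verdict)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize())
```

Two things worth noticing in the output. The heuristic never consulted a list of reflector ports, so the CLDAP packets are convicted on their traits alone, while the small DNS answers from the same kind of service port pass untouched. But the first 19 CLDAP packets pass before the 20th trips the threshold; that leaked leading edge is exactly what the forensic follow-up has to quantify, and it is why the URG-only vector, once understood, is handled by the exact-match rule, which blocks every packet from the first one.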

With many of today’s DDoS attack techniques, it is simply not possible for legacy mitigation solutions to discern good (legitimate) traffic from bad (DDoS) traffic accurately and rapidly. A modern DDoS mitigation solution inspects traffic packet by packet, automatically blocks only the bad traffic in real time using granular detection mechanisms and surgical filters, and allows good traffic to pass through uninterrupted.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions deliver protection for on-premise, cloud, virtual and hybrid environments, without the downtime associated with other solutions. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.